A judge has dismissed a class-action lawsuit against U.S.-based arts and crafts retailer Michaels, filed after the retailer warned customers in early 2014 that malware-wielding attackers had successfully stolen an estimated 2.6 million payment card numbers over an eight-month period beginning in May 2013. The lawsuit sought damages in part based on the allegation that the retailer's customers were at increased risk of suffering fraud for an unforeseeable period into the future.

Michaels is just one of a number of organizations in recent years to have suffered a data breach after falling victim to a point-of-sale malware attack. Target and Staples are two other high-profile victims from the retail sector, although a number of other POS-using organizations - including businesses in the restaurant and hotel industries - have also fallen victim to such breaches.

"At least to date ... 'injury' has been defined exclusively in financial terms."

Many of those breaches have triggered class-action lawsuits by consumers whose payment card data was compromised, oftentimes alleging negligence on the part of the breached organization, or else the potential for their suffering financial harm. And many times, it's tough not to argue that breached organizations failed to have robust enough security programs (see Why POS Malware Still Works).

But the vast majority of these data-breach lawsuits get dismissed. That's because judges often find that plaintiffs' attorneys have failed to prove that consumers suffered an actual or threatened injury, under what's known as Article III standing (see Why So Many Data Breach Lawsuits Fail). And at least to date, legal experts say, such "injury" has been defined exclusively in financial terms. In other words, if there were no out-of-pocket losses for consumers whose information was breached, then such cases typically get dismissed.

Establishing standing also became more difficult in 2013, after the U.S. Supreme Court ruled in the case of Clapper v Amnesty Int'l that standing could not be based on the potential for a future injury, according to data breach and privacy attorney Linda Kornfeld, who's the managing partner of the Los Angeles office of law firm Kasowitz, Benson, Torres & Friedman.

Thus it's no surprise that, in the Michaels case, U.S. District Court Judge Joanna Seybert ordered on Dec. 28, 2015, that the lawsuit be dismissed, after finding that plaintiff Mary Jane Whalen, and by extension any other victim of the breach, couldn't prove that they'd suffered any harm.

Alleged Fraud in Ecuador

Whalen's suit had sought class-action status on behalf of herself and other breach victims. She told the court that after she used her American Express card at Michaels in December 2013, it was then used by someone physically located in Ecuador to try and buy a gym membership, and again to try and purchase concert tickets.

Crucially, however, "Whalen does not allege that the attempted charges were approved or that she suffered any financial loss," Seybert wrote. "Rather, she cancelled her credit card and has not experienced any other attempted fraudulent charges," and would not have had to pay any such charges either, given American Express's policy that cardholders "are not liable for fraudulent purchases."

Similarly, she dismissed Whalen's assertion that the lost time and money she incurred by having to purchase identity theft protection services gave her the right to sue Michaels. Referencing Clapper, Seybert said that "highly speculative" injuries do not give plaintiffs Article III standing, and noted that just because a consumer purchased identity theft monitoring did not then give them the right to sue an organization. In the Supreme Court's language: "If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a non-paranoid fear."

What About Future Harm?

But what about Whalen's assertion in court documents that she might suffer future harm from the breach, since "fraudulent use of cards might not be apparent for years"? This is relevant because security experts are warning that so-called "sleeper fraud" - criminals using a consumer's PII to open a new account, and then defaulting on the payment or loan at some future date - is continuing to grow (see What is "Sleeper Fraud," And Why Must Banks Beware?).

A related risk: security experts have been warning that cybercriminals can now monetize almost any form of PII, since it helps attackers to better refine and customize their social engineering and fraud-related schemes for individual victims (see TalkTalk Lesson: Prepare for Breaches). For example, the ringleader of a penny-stock-scheme allegedly paid freelance hackers to steal customer details from 12 organizations - including financial services heavyweights JPMorgan Chase, Fidelity Investments and E*Trade Financial - then used that PII to target the high-net-worth individuals with offers that seemed too good to refuse (see Charges Announced in JPMorgan Chase Hack).

Case Closed?

In the Michaels case, however, no details of stolen PII have ever come to light. Indeed, the judge notes that according to Michaels, beyond the stolen card data, "there was no evidence that the hackers retrieved any other customer information, such as names, addresses, or PIN numbers."

Accordingly, "Whalen has failed to allege an injury that is 'certainly impending' or based on a 'substantial risk that the harm will occur,'" Seybert writes, again citing the Clapper case. She also undercuts Whalen's claim that fraud might not be apparent for years, noting that it's been two years since the breach occurred, and Whalen has seen no more signs of fraud.

Thus Seybert dismissed the suit, albeit without prejudice. That means Whalen is free to file another lawsuit in the future, based on the same claim.

But as far as I'm concerned, this case looks closed. Nearly two years down the line, we haven't seen any new breach-related facts come to light - most notably, signs that more types of data went missing than Michaels has claimed. While I do think that consumers should be able to file breach-related lawsuits against organizations that failed to properly protect their PII, in this case, thankfully it's hard to see that consumers suffered any real harm.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.